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OSL Financial Consultancy Limited 


4 Bigby Green, Bigby, Barnetby, North Lincolnshire, DN38 6EE 


The Information Commissioner (“Commissioner”) has decided to issue 
OSL Financial Consultancy Limited (“OSL”) with a monetary penalty 
under section 55A of the Data Protection Act 1998 (“DPA”). The penalty 
is in relation to a serious contravention of Regulation 22 of the Privacy 
and Electronic Communications (EC Directive) Regulations 2003 
(“PECR”). 


This notice explains the Commissioner’s decision. 

Legal framework 

OSL, whose registered office is given above (Companies House 
Registration Number: 06810395) is the organisation stated in this 
notice to have transmitted unsolicited communications by means of 
electronic mail to individual subscribers for the purposes of direct 


marketing contrary to regulation 22 of PECR. 


Regulation 22 of PECR states: 


“(1) This regulation applies to the transmission of unsolicited 
communications by means of electronic mail to individual 


subscribers. 


(2) Except in the circumstances referred to in paragraph (3), a person 
Shall neither transmit, nor instigate the transmission of, unsolicited 
communications for the purposes of direct marketing by means of 
electronic mail unless the recipient of the electronic mail has 
previously notified the sender that he consents for the time being 
to such communications being sent by, or at the instigation of, the 


sender. 


(3) A person may send or instigate the sending of electronic mail for 


the purposes of direct marketing where— 


(a) that person has obtained the contact details of the recipient 
of that electronic mail in the course of the sale or 
negotiations for the sale of a product or service to that 


recipient; 


(b) the direct marketing is in respect of that person’s similar 


products and services only; and 


(c) the recipient has been given a simple means of refusing 
(free of charge except for the costs of the transmission of 
the refusal) the use of his contact details for the purposes 
of such direct marketing, at the time that the details were 
initially collected, and, where he did not initially refuse the 
use of the details, at the time of each subsequent 


communication. 


(4) A subscriber shall not permit his line to be used in contravention of 


paragraph (2).” 


5. Regulation 23 of PECR states: 


“23. A person shall neither transmit, nor instigate the transmission of, 
a communication for the purposes of direct marketing by means of 


electronic mail— 


(a) where the identity of the person on whose behalf the 
communication has been sent has been disguised or 


concealed; 


(b) where a valid address to which the recipient of the 
communication may send a request that such communications 


cease has not been provided.” 


Section 11(3) of the DPA defines “direct marketing” as “the 
communication (by whatever means) of any advertising or marketing 
material which is directed to particular individuals”. This definition also 


applies for the purposes of PECR (see regulation 2(2)). 


Consent is defined in the European Directive 95/46/EC as “any freely 
given specific and informed indication of his wishes by which the data 
subject signifies his agreement to personal data relating to him being 


processed”. 


“Individual” is defined in regulation 2(1) of PECR as “a living individual 


and includes an unincorporated body of such individuals”. 


A “subscriber” is defined in regulation 2(1) of PECR as “a person who is 
a party to a contract with a provider of public electronic 


communications services for the supply of such services”. 


“Electronic mail” is defined in regulation 2(1) of PECR as “any text, 
voice, sound or image message sent over a public electronic 


communications network which can be stored in the network or in the 


Information Commissioner's Office 


recipient’s terminal equipment until it is collected by the recipient and 


includes messages sent using a short message service”. 


10. Section 55A of the DPA (as amended by the Privacy and Electronic 
Communications (EC Directive)(Amendment) Regulations 2011 and the 
Privacy and Electronic Communications (Amendment) Regulations 
2015) states: 


“(1) The Commissioner may serve a person with a monetary penalty if 
the Commissioner is satisfied that - 


(a) there has been a serious contravention of the requirements 
of the Privacy and Electronic Communications (EC 


Directive) Regulations 2003 by the person, 
(b) subsection (2) or (3) applies. 
(2) This subsection applies if the contravention was deliberate. 
(3) This subsection applies if the person - 


(a) knew or ought to have known that there was a risk that 


the contravention would occur, but 


(b) failed to take reasonable steps to prevent the 


contravention.” 


11. The Commissioner has issued statutory guidance under section 55C (1) 
of the DPA about the issuing of monetary penalties that has been 
published on the |CO’s website. The Data Protection (Monetary 
Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe 
that the amount of any penalty determined by the Commissioner must 
not exceed £500,000. 
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PECR implements European legislation (Directive 2002/58/EC) aimed at 
the protection of the individual’s fundamental right to privacy in the 
electronic communications sector. PECR was amended for the purpose 
of giving effect to Directive 2009/136/EC which amended and 
strengthened the 2002 provisions. The Commissioner approaches PECR 


so as to give effect to the Directives. 


The provisions of the DPA remain in force for the purposes of PECR 
notwithstanding the introduction of the Data Protection Act 2018 (see 
paragraph 58(1) of Part 9, Schedule 20 of that Act). 


Background to the case 


OSL operates under the trading name MortgageKey and is an 


independent broker providing mortgages and secured loans. 


OSL first came to the attention of the Commissioner during the course 
of an investigation into scams and exploitative marketing surrounding 
the COVID-19 crisis. The investigation identified a number of 
complaints received via the Global System for Mobile Communications 
(“GSMA”) spam reporting service about SMS sent by OSL, trading as 
MortgageKey. 


An example of one of the SMS complained about is: 


“Hi XXX | hope you are well, Its XXX from MortgageKey, you previously 
made a Buy to Let Purchase enquiry with us. Since the Pandemic Buy 
to Let rates have dropped to 1.19% if you are looking to purchase a 
Buy to Let property then please reply with a time that is convenient for 
you or alternatively please call us on 01482 306666 opt 1 and we will 
be free to speak with you. Kind Regards XXX MortgageKey” 
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The Commissioner initially contacted OSL by telephone on 18 J une 

2020 when the complaints and investigative process were discussed 

with one of OSL’s Directors. The Director said that the source of the 

complaints were from remarketing SMS sent to old customers to drum 

up business due to COVID-19. The Commissioner was advised that OSL 

had a new website and privacy policy ready to launch. Further, OSL 

stated that it had previously had an issue with an email unsubscribe 

button not working in 2019 which had been reported to the ICO at that 

time (as the ICO helpline does not record calls this has not been 


corroborated). 


Following this call the Commissioner sent an initial investigation letter 
to OSL on 18 June 2020 which detailed her concerns regarding the 
complaints and specifically OSL’s compliance with Regulations 22 and 
23 of PECR. The letter requested full details of OSL’s direct marketing 
campaign, and evidence of any consent relied upon in respect of 33 
complaints identified between 1 March 2020 and 18 June 2020. 


OSL sent a response on 22 June 2020, confirming that during the 
period 18 June 2019 to 18 June 2020 it sent 174,342 direct marketing 
SMS messages (54,205 of which were sent during the period March to 
June 2020, being the focus of the Commissioner’s investigation into 
COVID-19 related marketing). Information was also provided regarding 
an email sent to 129,939 customers on 17 October 2019 about the 


technical issue with the email unsubscribe button not working. 


OSL provided information regarding the complaints including a record 
of "lead originally received” and “customer date/time replies”. One of 
the complaints shows the lead having been originally received on 4 July 
2019 and replying, in response to an SMS on 1 June 2020: “For the 


78th time, you have the wrong phone number for ‘james’. | have told 
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mortgagkey to delete this number numerous times. If | get one more 
message from message [sic] from mortgagekey | will report you to 
information commissioner”. Three other complaints were shown as 


responding to previous SMS in 2019 with negative responses including 


one specific request to have their details removed. 


OSL explained that it uses Google, Facebook and Bing to generate 
enquiries through its website and that "they have been doing this since 
2015”. 


In response to the Commissioner’s request for evidence of any consent 
being relied upon for the sending of the SMS, details of OSL’s website 
were provided demonstrating where customer details were input 
together with a ‘GET MY QUOTE’ button. Next to this button was a 
paragraph which stated “By clicking ‘GET MY QUOTE’ you are agreeing 
to our Terms and Conditions and Privacy Policy”. The paragraph 
provided a link to their Business Terms & Conditions and Privacy Policy 
which OSL stated “... gives the customer a choice before proceeding 


with MortgageKey”. 


OSL also stated its intention in respect of ‘remedial work’ to send an 
SMS to its database of 177,888 customers enquiring about their 
marketing preferences, whether they wished to remain opted in, and 


including an opt in/opt out box. 


Having received this response the Commissioner on 25 J une 2020 

requested further information from OSL, including enquiries regarding 
customer journeys and email marketing. OSL were also advised that it 
should not carry out further direct marketing until the Commissioner’s 


investigation was complete. 
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OSL responded on 28 June 2020 and included a statement, in regard to 
one particular customers journey, that OSL “used the opt in through 
the website so we have no further evidence of the opt in, we take full 
responsibility for not having an opt in/opt out box (emphasis added).” 
With regard to email marketing OSL confirmed that between the period 
18 June 2019 to 18 June 2020 it sent 1,219,870 marketing emails, of 


which 755,780 were received. 


The Commissioner has made the above findings of fact on the 


balance of probabilities. 


The Commissioner has considered whether those facts constitute 
a contravention of regulation 22 of PECR by OSL and, if so, whether the 


conditions of section 55A DPA are satisfied. 


The contravention 


The Commissioner finds that OSL contravened regulation 22 of PECR. 


The Commissioner finds that the contravention was as follows: 


Between 18 June 2019 to 18 June 2020 OSL transmitted 174,342 


direct marketing SMS without consent, contrary to regulation 22. 


OSL, as the sender of the direct marketing, is required to ensure that it 
is acting in compliance with the requirements of regulation 22 of PECR, 
and to ensure that valid consent to send those messages had been 


acquired. The ICO Direct Marketing Guidance! explains that in order to 


11CO Direct Marketing guidance https: //ico.org.uk/media/1555/direct-marketing- guidance. pdf 
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rely on the soft opt-in, organisations must meet the following criteria: 
e they have obtained the contact details in the course of a 
sale (or negotiations for a sale) of a product or service to that 
person; 
e they are only marketing their own similar products or 
services; and 
e they gave the person a simple opportunity to refuse or opt 
out of the marketing, both when first collecting the details and 


in every message after that. 


In this instance OSL gathered personal data for marketing purposes 
when individuals contacted them via their website for a quote. At no 
point, when individuals entered their data, were they offered the option 
of either opting in or out of marketing, and so valid consent was not 
obtained at that time. The Commissioner is further satisfied that OSL 
cannot rely on the ‘soft opt-in’ exemption provided by regulation 22(3) 
PECR for the purposes of the messages sent on the basis that it failed 
to provide individuals with an opportunity to opt out of the marketing, 
either at the time the details were collected, or at any point 


subsequently. 


The General Data Protection Regulations (GDPR)? which sit alongside 
the PECR, state that consent must be freely given, specific and 
informed and there must be an indication signifying agreement given 
‘by a statement or by a clear affirmative action’. The GDPR is clear that 
consent should not be bundled up as a condition of service unless it is 
necessary for that service. The ICO Direct Marketing guidance also 
recommends that organisations do not make consent to marketing a 


2 GDPR https: //gdpr-info.eu/ 


33. 


34. 


35. 


36. 


37. 


& 
Information Commissioner’s Office 
condition of subscribing to a service unless they can clearly 


demonstrate how consent to marketing is necessary for the service and 


why consent cannot be sought separately. 


In order to obtain a quote from OSL’s website, individuals had to 
complete their details and were not provided with any option to consent 
to marketing, and so OSL made consenting to marketing a condition to 
obtaining a quote. Consenting to marketing is not necessary for the 


provision of a quote and consent should have been sought separately. 


In short, OSL has provided no evidence to support a reliance on 
Regulation 22(3) PECR, or any evidence to demonstrate valid consent 


whatsoever. 


The Commissioner has gone on to consider whether the conditions 


under section 55A DPA are met. 
Seriousness of the contravention 


The Commissioner is satisfied that the contravention identified 

above was serious. This is because between 18 June 2019 to 18 June 
2020, a total of 174,342 direct marketing SMS were sent by OSL. The 
SMS contained direct marketing material for which the subscriber did 
not have adequate consent. In roughly a three and a half month period 


between 1 March 2020 to 18 June 2020, 33 complaints were received. 


OSL informed the Commissioner that it had used the same marketing 
approach since 2015 and so it is reasonable to conclude that a 
significant number of SMS have been sent over that time, although the 


Commissioner does not have figures to support this. 
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The Information Commissioner’s guidance about the issue of monetary 

penalties prepared and issued under section 55C(1) of the Data 

Protection Act 1998 makes clear that an objective approach will be 

taken in considering whether a serious contravention of PECR has 

taken place. The Commissioner is satisfied from the evidence before 

her that in this case a substantial amount of SMS were transmitted 

over a period of 12 months, and potentially as far back as 2015. A 

proportionately small number of complaints is not necessarily reflective 

of the gravity of the potential breach, since it is reasonable to expect 

that only a very small proportion of those who receive an unsolicited 

direct marketing SMS for which they have not consented will take the 

necessary steps to report it, with the majority likely to either delete, or 


ignore it. 


The Commissioner is therefore satisfied that condition (a) from 
section 55A(1) DPA is met. 


Deliberate or negligent contraventions 


The Commissioner has considered whether the contravention identified 


above was deliberate. 


The Commissioner considers that in this case OSL did not deliberately 


contravene regulation 22 of PECR. 


The Commissioner has gone on to consider whether the contravention 
identified above was negligent. This consideration comprises two 


elements: 


Firstly, she has considered whether OSL knew or ought reasonably to 


have known that there was a risk that these contraventions would 
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occur. She is satisfied that this condition is met, not least since the 
issue of unsolicited SMS and emails have been widely publicised by the 
media as being a problem. As a business relying heavily upon direct 
marketing it is reasonable to expect that the directors of OSL would 


have some knowledge of the laws surrounding direct marketing, and 


should be aware of the risks surrounding such activity. 


It is noteworthy that OSL stated that it contacted the ICO in late 2019 
regarding a problem with the unsubscribe option not working on their 
marketing emails, which would demonstrate at least some awareness 


at that time of the rules surrounding direct marketing. 


Beyond the above, the Commissioner has published detailed guidance 
for those carrying out direct marketing explaining their legal obligations 
under PECR. This guidance gives clear advice regarding the 
requirements of consent for direct marketing and explains the 
circumstances under which organisations are able to carry out 
marketing over the phone, by text, by email, by post, or by fax. In 
particular it states that organisations can generally only send, or 
instigate, marketing messages to individuals if that person has 


specifically consented to receiving them 


It is therefore reasonable to suppose that OSL should have been aware 


of its responsibilities in this area. 


Secondly, the Commissioner has gone on to consider whether OSL 
failed to take reasonable steps to prevent the contraventions. Again, 


she is satisfied that this condition is met. 


Such reasonable steps in these circumstances could have included 
putting in place appropriate systems and procedures to ensure that it 


had the specific consent of those to whom it had sent marketing SMS; 
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and adequately recording the source of the data used and evidence of 
any consent obtained. OSL could have used the event in late 2019 of 
the unsubscribe option on its emails failing to work as an opportunity 


to review its direct marketing practices more generally in order to 


ensure compliance with PECR, however OSL failed to do so. 


In the circumstances, the Commissioner is satisfied that OSL failed to 


take reasonable steps to prevent the contraventions. 


The Commissioner is therefore satisfied that condition (b) from section 
55A (1) DPA is met. 


The Commissioner’s decision to impose a penalty 


For the reasons explained above the Commissioner is satisfied that the 
conditions from section 55A(1)DPA have been met in this case. She is 
also satisfied that section 55A(3)DPA and the procedural rights under 


section 55B have been complied with. 


The latter has included issuing a Notice of Intent dated 12 October 


2020 in which the Commissioner set out her preliminary thinking. 


The Commissioner has considered whether, in the circumstances she 
should exercise her discretion so as to issue a monetary penalty. In 
reaching her final view, the Commissioner has taken into account 
representations made by OSL dated 4 November 2020 however there 
is nothing contained therein to dissuade the Commissioner from her 


preliminary view. 


The Commissioner is accordingly entitled to issue a monetary penalty 


in this case. 
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The amount of the penalty 


The Commissioner has taken into account the following 


aggravating features of this case: 


e Contrary to Regulation 23 of PECR, whilst the SMS sent by OSL 
did identify MortgageKey as the sender, they did not provide 
individuals with any means to opt-out or unsubscribe from future 


marketing. 


e It is apparent from the Commissioner’s investigation that OSL 
also conducts direct marketing via email, and during the same 
contravention period as considered in this Notice, OSL sent 
1,219,870 marketing emails, 755,780 of which were confirmed 


as received, in contravention of Regulation 22. 


The Commissioner has considered the likely impact of a monetary 
penalty on OSL, however publicly available recent financial information 
is limited. Accordingly, OSL was invited on 9 November 2020 to 
provide financial representations including any evidence of financial 
hardship, particularly as a result of COVID-19. OSL responded on 10 
November 2020, but documentation supplied was sparse and of limited 
assistance to the Commissioner in assessing OSL’s current financial 
position. In view of OSL’s lack of transparency and co-operation in 
relation to provision of financial documents, the Commissioner saw no 


evidence to dissuade her from her previous assessment. 


The Commissioner’s underlying objective in imposing a monetary 
penalty notice is to promote compliance with PECR. The sending of 


unsolicited marketing messages is a matter of significant public 
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concern. A monetary penalty in this case should act as a general 
encouragement towards compliance with the law, or at least as a 
deterrent against non-compliance, on the part of all persons running 
businesses currently engaging in these practices. The issuing of a 
monetary penalty will reinforce the need for businesses to ensure that 
they are only messaging those who specifically consent to receive 
marketing. 


Taking into account all of the above, the Commissioner has decided 
that the penalty is £50,000 (Fifty thousand pounds). 


Conclusion 
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The monetary penalty must be paid to the Commissioner’s office by 
BACS transfer or cheque by 5 January 2021 at the latest. The 
monetary penalty is not kept by the Commissioner but will be paid into 
the Consolidated Fund which is the Government's general bank account 
at the Bank of England. 


If the Commissioner receives full payment of the monetary penalty by 
4 January 2021 the Commissioner will reduce the monetary penalty 

by 20% to £40,000 (Forty thousand pounds). However, you should be 
aware that the early payment discount is not available if you decide to 


exercise your right of appeal. 


There is a right of appeal to the First-tier Tribunal (Information Rights) 


against: 


(a) the imposition of the monetary penalty and/or; 
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(b) the amount of the penalty specified in the monetary penalty 


notice. 


Any notice of appeal should be received by the Tribunal within 28 days 


of the date of this monetary penalty notice. 
Information about appeals is set out in Annex 1. 


The Commissioner will not take action to enforce a monetary penalty 


unless: 


e the period specified within the notice within which a monetary penalty 
must be paid has expired and all or any of the monetary penalty has 
not been paid; 

e all relevant appeals against the monetary penalty notice and any 
variation of it have either been decided or withdrawn; and 

e the period for appealing against the monetary penalty and any 


variation of it has expired. 


In England, Wales and Northern Ireland, the monetary penalty is 
recoverable by Order of the County Court or the High Court. In 
Scotland, the monetary penalty can be enforced in the same manner as 
an extract registered decree arbitral bearing a warrant for execution 


issued by the sheriff court of any sheriffdom in Scotland. 
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Dated the 2nd day of December 2020 


Andy Curry 

Head of Investigations 

Regulatory Supervision Service 
Information Commissioner’s Office 
Wycliffe House 

Water Lane 

Wilmslow Cheshire 

SK9 5AF 
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SECTION 55 A-E OF THE DATA PROTECTION ACT 1998 


RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER 


1. Section 48 of the Data Protection Act 1998 gives any person upon 
whom a monetary penalty notice or variation notice has been served a 
right of appeal to the First-tier Tribunal (Information Rights) (the 
‘Tribunal’) against the notice. 


2. If you decide to appeal and if the Tribunal considers: - 


a) 


b) 


that the notice against which the appeal is brought is not in 
accordance with the law; or 


to the extent that the notice involved an exercise of discretion by 
the Commissioner, that she ought to have exercised her 
discretion differently, 


the Tribunal will allow the appeal or substitute such other decision as 
could have been made by the Commissioner. In any other case the 
Tribunal will dismiss the appeal. 


3. You may bring an appeal by serving a notice of appeal on the Tribunal 
at the following address: 


GRC & GRP Tribunals 
PO Box 9300 
Arnhem House 

31 Waterloo Way 
Leicester 

LE1 8DJ 


The notice of appeal should be sent so it is received by the 
Tribunal within 28 days of the date of the notice. 
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b) If your notice of appeal is late the Tribunal will not admit it 
unless the Tribunal has extended the time for complying with this 
rule. 


The notice of appeal should state: - 


a) your name and address/name and address of your representative 
(if any); 


b) an address where documents may be sent or delivered to you; 
C) the name and address of the Information Commissioner; 

d) details of the decision to which the proceedings relate; 

e) the result that you are seeking; 

f) the grounds on which you rely; 


g) you must provide with the notice of appeal a copy of the 
monetary penalty notice or variation notice; 


h) if you have exceeded the time limit mentioned above the notice 
of appeal must include a request for an extension of time and the 
reason why the notice of appeal was not provided in time. 


Before deciding whether or not to appeal you may wish to consult your 
solicitor or another adviser. At the hearing of an appeal a party may 
conduct his case himself or may be represented by any person whom 
he may appoint for that purpose. 


The statutory provisions concerning appeals to the First-tier Tribunal 
(General Regulatory Chamber) are contained in sections 48 and 49 of, 
and Schedule 6 to, the Data Protection Act 1998, and Tribunal 
Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 
2009 (Statutory Instrument 2009 No. 1976 (L.20)). 
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